An attacker spent approximately $4 million to acquire enough BONK tokens to pass a governance proposal that transferred $20 million in treasury holdings to a wallet under their control, according to CoinDesk reporting.
The attacker then began selling the stolen assets. CoinDesk did not provide a precise timeline for the governance vote, execution window, or total liquidation amount as of publication.
The core vulnerability: BONK's governance structure appears to lack sufficient safeguards against whale-driven attacks. By concentrating enough voting power in a single transaction, the attacker sidestepped what should have been resistance from the broader token holder base. The treasury drain highlights a recurring weakness in decentralized protocols where governance tokens double as voting shares—an attacker who can afford the token purchase can effectively buy governance control.
No publicly confirmed details emerged about whether BONK's governance included quorum requirements, time delays between proposal and execution, or multi-signature validation on treasury transfers. The lack of such mechanisms would explain how a single large holder could move funds so quickly.
Memecoin governance structures are typically more permissive than those of larger projects, partly because early holders and development teams retain outsized control. BONK, launched as a Solana-native token, did not immediately publish a post-mortem or mitigation plan as of the CoinDesk report.
The incident raises immediate questions: How many tokens remain in the attacker's wallet? Are exchanges and liquidity venues freezing BONK trading pending clarity? Have BONK's core developers or remaining treasury custodians proposed emergency governance measures—such as a new proposal that would blacklist or recover the drained wallet, or a rollback if Solana validators agreed?
CoinDesk did not report the attacker's identity, the current status of liquidation, or any law enforcement involvement.
For BONK holders, the attack poses both a direct loss (treasury depletion reduces future project funding and runway) and a market perception hit. Token-holder confidence in governance security tends to crater after public drains, often triggering secondary sell-offs as smaller holders exit before further losses materialize.